Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TS 33.222  Word version:  16.1.0

Top   Top   Up   Prev   None
0…   4…
4 Overview of the Security Architecture5 Authentication schemes6 Use of Authentication ProxyA Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPSB Guidance on Certificate-based mutual authentication between UE and application serverC Considerations for GBA security using a web browser and JavascriptD Security measures for usage of GBA with a web browser$ Change history

 

4  Overview of the Security Architecture

5  Authentication schemesWord‑p. 11

5.1  Reference model

5.2  General requirements and principles

5.2.1  Requirements on the UE

5.2.2  Requirements on the NAF

5.3  Shared key-based UE authentication with certificate-based NAF authenticationWord‑p. 12

5.3.0  Procedures |R11|

5.3.1  TLS profileWord‑p. 13

5.3.1.0  General |R11|

5.3.1.1  Protection mechanismsWord‑p. 14

5.3.1.2Void

5.3.1.3  Authentication of the AP/AS

5.3.1.4  Authentication Failures

5.3.1.5  Set-up of Security parameters

5.3.1.6  Error cases

5.4  Shared key-based mutual authentication between UE and NAFWord‑p. 15

5.4.0  Procedures |R11|

5.4.1  TLS ProfileWord‑p. 16

5.4.1.0  General |R11|

5.4.1.1  Protection mechanisms

5.4.1.2  Authentication of the AP/ASWord‑p. 17

5.4.1.3  Authentication Failures

5.4.1.4  Set-up of Security parameters

5.5  Certificate based mutual authentication between UE and application server

5.5.1  General |R7|

5.5.2  TLS Profile |R7|

5.5.2.1  General

5.5.2.2  Protection mechanismsWord‑p. 18

5.5.2.3Void

6  Use of Authentication ProxyWord‑p. 19

6.1  Architectural view

6.2  Requirements and principlesWord‑p. 20

6.4  Reference pointsWord‑p. 21

6.4.1  Ua reference point

6.4.2  AP-AS reference point

6.5  Management of UE identity

6.5.1  Granularity of Authentication and Access Control by AP

6.5.1.1  Authorised Participant of GBA

6.5.1.2  Authorised User of ApplicationWord‑p. 22

6.5.2  Transfer of Asserted Identity from AP to AS

6.5.2.1  Authorised Participant of GBA

6.5.2.2  Authorised User of Application Anonymous to AS

6.5.2.3  Authorised User of Application with Transferred Identity asserted to AS

6.5.2.4  Authorised User of Application with Transferred Identity asserted to AS and Check of User Inserted IdentityWord‑p. 23

A  Technical Solutions for Access to Application Servers via Authentication Proxy and HTTPSWord‑p. 24

B  Guidance on Certificate-based mutual authentication between UE and application serverWord‑p. 25

C  Considerations for GBA security using a web browser and Javascript |R12|Word‑p. 26

C.1  Usage Scenario

C.2  Threats

C.3  Control of GBA Credentials and GBA Module in the UEWord‑p. 27

C.3.1  General

C.3.2  Control Mechanism 1 - Same Origin Authentication Tokens

C.3.3  Control Mechanism 2 - Server Authenticated TLS

C.3.4  Control Mechanism 3 - Channel Binding

C.3.5  Control Mechanism 4 - Key Usage

C.4  Security ConsiderationsWord‑p. 28

C.4.1  General Scripting Security Considerations

C.4.2  GBA key control

C.4.3  User grants

C.4.4  Root CAs in Browser

D (Normative)  Security measures for usage of GBA with a web browser |R12|Word‑p. 30

D.1  Extension of Protocol Mechanism used on Ua Reference Point

D.1.1  General

D.1.2  Key derivation

D.1.3  Channel binding

D.1.3.1  Background

D.1.3.2  Channel binding using RFC 5705 and RFC 5929Word‑p. 31

D.2  Sequence flow

D.2.1  Sequence flow with channel binding

D.3  Javascript GBA API descriptionWord‑p. 35

D.3.1  GBA API Description

D.3.2  API usageWord‑p. 36

$  Change historyWord‑p. 38

Up   Top